Bug 440195

Summary: Feature request: Support for directory level audit with recursion before 2.6.24 kernel and above at userspace
Product: [Fedora] Fedora Reporter: abhishek <abhikiki>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-25 18:32:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
This patch add directory level audit with recursion feature in userspace none

Description abhishek 2008-04-02 07:37:09 UTC 
Description of problem:

Before kernel 2.6.24 there is no support for recursive directory level audit.If
there are number of files and subdirectories in a parent directory and we want 
to add watch on all the files then we have to put watch on all the files and
directories explicitly.Even userlevel support for this from 2.6.24 kernel  is
not available till now.Organisations does not frequently migrate from one kernel
version to other frequently.Like if they are using 2.6.22 kernel,they will not
switch immediately to 2.6.24. This patch will add the feature in userspace which
will work for kernel versions  before 2.6.24 and above.And will make the task easy. 

Version-Release number of selected component (if applicable):
audit-1.7

How reproducible:


Steps to Reproduce:
1.patch should be applied to auditctl.c file present in audit-1.7 component
2.then install audit-1.7 component
3.To add watch on files and subdirectories present in a directory,type the 
command below 
4.auditctl -Z path/to/directory -p rwx 
  
Actual results:
All files within the directory and subdirectory will be watched.

Expected results:


Additional info:
Comment 1 abhishek 2008-04-02 07:37:09 UTC 
Created attachment 300021 [details]
This patch add directory level audit with recursion feature in userspace
Comment 2 Steve Grubb 2008-04-04 16:35:32 UTC 
Hi...first, thanks for the patch. 

But I'm not sure this is a good idea since it does not provide complete
coverage. IOW, if you have a rule for /etc and a new file goes into /etc and its
edited, the rule will not pick it up since auditctl builds a list at the time it
applies the rule instead of continuously. Its for this reason we opted to
provide coverage in the kernel rather than user space.

Also, auditctl -l takes the rules and reformats them to appear as close as
possible to the rule that is in the audit.rules file. I don't think this patch
can figure out what the original rule is unless its does a lot of extra processing.
Comment 3 Steve Grubb 2008-09-25 18:32:16 UTC 
I do appreciate the patch, but I don't think I can merge it with the current code base (see comment #2). Thank you for the offer, though.